1. Field of the Invention
The present invention relates to a system and a method for controlling the same, an access management service system and a method for controlling the same, and a non-transitory computer readable medium.
2. Description of the Related Art
The recent popularization of cloud computing provides increasing opportunities for coordinating a plurality of services (e.g., document creation services) to create added values. On the other hand, the coordination of services poses several problems.
For example, as a result of coordination among services, more information than a user wishes to exchange is exchanged among services, resulting in the risk of leaking of user data and personal information. For example, it is not desirable that any service other than services that provide results desired by the user acquires the user data, the personal information and the like at the time of achieving service coordination among various services. On the other hand, from the standpoint of service providers, it is preferable that the arrangement of service coordination can be easily implemented.
Under such circumstances, the standard protocol called “OAuth” for implementing coordination of authorization has been defined (e.g., see, D. Hardt, “The OAuth 2.0 Authorization Framework”, [online], Jul. 31, 2012, [retrieved on 2013-03-25], the internet <URL: http://tools.ietf.org/html/draft-ietf-oauth-v2-31>). According to OAuth, for example, data of a user that is managed by a given service A can be accessed by an external service B that is authorized by that user. At this time, the service A is supposed to clarify the range that can be accessed by the external service B, and thereafter obtain explicit authorization to access made by the external service B from the user. The explicit authorization performed by the user is referred to as “authorization operation”.
If the user performs the authorization operation, the external service B receives a token (hereinafter referred to as “authorization token”) that certifies that access has been approved by the service A, and subsequent access can be implemented by using the authorization token. Thereby, the authority of the user to the service A can be delegated to the external service B. Then, with the use of the authorization token, the external service B can access the service A by the authority of the user who has performed authorization, without the authentication information of the user. As a result, the external service B that has received authorization from the user and has acquired the authorization token is obliged to manage the authorization token in a strict and appropriate manner.
Furthermore, according to OAuth, in addition to confirming the side that delegates authority, the side to which authority is delegated can also be confirmed. For example, if the user authorizes the external service B to access the service A, it is possible to confirm whether the user has authority to use the service A, and confirm whether the external service B has authority to use the service A.
In regard with the confirmation of the side to which authority is delegated, there is a method in which the user explicitly specifies an external service to which authority is delegated at the time of performing an authorization operation (e.g., Japanese Patent Laid-Open No. 2006-254464). With this method, it is possible to achieve service coordination by authorization, while limiting external services.
In service coordination by authorization, in some cases, it is desired to prevent access from any external service other than a specific external service even if it is authorized by the user. An example of such a case is where an external service X, which is an intra-company system of a company A, and a cloud service Y are coordinated. If a user A of the company A has authority to use the cloud service Y, delegating authority to use the cloud service to the external service X allows the external service X to access information of the company A on the cloud service Y.
Here, it is assumed that the cloud service Y is a model that manages information of a plurality of companies on the same service in units of tenants. In that case, on the cloud service Y, a company B may exist as a tenant different from the company A and a user B of the company B may have authority to use the cloud service Y. If the user B delegates authority to use the cloud service Y to the external service X, the external service X can access the information of the company B on the cloud service Y. In this case, the external service X, which is an intra-system of the company A, can access the information of the company B, and therefore, a security problem could arise. In this way, there are cases where some external services should not be granted access even if they are authorized by the user.
However, according to the current OAuth, if each of the user B and the external service X has authority to use the cloud service Y, the authority to use the cloud service Y can be delegated from the user B to the external service X. Accordingly, to prevent the external service X from accessing the information of the company B, it is necessary to manage the range of information that can be accessed by the external service X in the cloud service Y.
However, this method cannot prevent an authorization operation itself and thus has a problem in that needless authority delegation processing can be executed. That is, the above-described method cannot prevent the authorization operation itself, and therefore, an authorization token can be issued by the user B performing the authorization operation and delegating authority to use the cloud service Y to the external service X. However, if the external service X tries to access the cloud service Y by using this authorization token, it is determined in the cloud service Y that the external service X does not have authority and thus the access is denied. In this way, the authority that cannot be used can be delegated, and an authorization token that cannot be used can be needlessly issued. In addition, it is not preferable that the user can delegate, to an external service, the access right to information that cannot be accessed by the external service.
The above-described method also has a problem in that a large burden is placed on the cloud service. For example, the cloud service has to manage external services that are granted access for each of all tenants. Moreover, each time an access request is made from an external service, the cloud service also has to determine whether access is granted or denied.